[ci skip] Fix a bug in FV valid_email()
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 4f679a1..71d0e64 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -1229,9 +1229,9 @@
*/
public function valid_email($str)
{
- if (function_exists('idn_to_ascii') && sscanf($str, '%[^@]@%s', $name, $domain) === 2)
+ if (function_exists('idn_to_ascii') && preg_match('#\A([^@]+)@(.+)\z#', $str, $matches))
{
- $str = $name.'@'.idn_to_ascii($domain);
+ $str = $matches[1].'@'.idn_to_ascii($matches[2]);
}
return (bool) filter_var($str, FILTER_VALIDATE_EMAIL);
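Review bot: `idn_to_ascii()` returns `false` when it cannot convert the domain (bad label, over-length name), and the new line 14 concatenates that result unchecked, so `$str` becomes `name@` before reaching `filter_var()`; the outcome is still a rejection, but a conversion failure is silently folded into a generic invalid-email result. Make the fallback explicit so the unconverted input is what gets validated: `$domain = idn_to_ascii($matches[2]);` followed by `if ($domain !== FALSE) { $str = $matches[1].'@'.$domain; }`. A one-line comment above the `preg_match` recording why the pattern is anchored with `\A`/`\z` — the previous `sscanf('%s')` parse stopped at the first whitespace and silently dropped everything after it, which is the bypass this commit closes — would keep the next maintainer from "simplifying" it back. Note that the rule only reports validity; callers presumably still receive the original, untransliterated `$str`. The closing brace of `valid_email()` lies outside the hunk.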
diff --git a/tests/codeigniter/libraries/Form_validation_test.php b/tests/codeigniter/libraries/Form_validation_test.php
index 0815300..c9c404b 100644
--- a/tests/codeigniter/libraries/Form_validation_test.php
+++ b/tests/codeigniter/libraries/Form_validation_test.php
@@ -270,7 +270,7 @@
public function test_rule_valid_email()
{
$this->assertTrue($this->form_validation->valid_email('email@sample.com'));
-
+ $this->assertFalse($this->form_validation->valid_email('email@sample.com foo bar'));
$this->assertFalse($this->form_validation->valid_email('valid_email', '@sample.com'));
}
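Review bot: The added assertion on line 26 pins the whitespace case, but the regression is better covered with an input that exercises the `\z` anchor directly, e.g. `$this->assertFalse($this->form_validation->valid_email("email@sample.com\n"));`, since a trailing newline is another input the old `sscanf('%s')` parse silently truncated to a valid address. The pre-existing assertion on line 27 passes two arguments to a one-parameter method, so `'@sample.com'` is ignored and it only checks that the bare string `'valid_email'` is rejected; presumably `'valid_email@sample.com'` or `'@sample.com'` was intended and it is worth correcting while here. No positive case with a non-ASCII domain is present, so the `idn_to_ascii()` branch itself is only exercised when the extension happens to be loaded and only on ASCII input.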
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 362cd8c..4695edc 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -7,6 +7,10 @@
Release Date: Not Released
+- **Security**
+
+ - :doc:`Form Validation Library <libraries/form_validation>` rule ``valid_email`` could be bypassed if ``idn_to_ascii()`` is available.
+
- General Changes
- Updated :doc:`Form Helper <helpers/form_helper>` function :php:func:`form_label()` to accept HTML attributes as a string.